Description of problem:
firewalld logs many messages of the type:

firewalld[1490]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-J-vnet0' failed: Illegal target name 'libvirt-J-vnet0'.
firewalld[1490]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-P-vnet0' failed: Illegal target name 'libvirt-P-vnet0'.
firewalld[1490]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -F libvirt-J-vnet0' failed: Chain 'libvirt-J-vnet0' doesn't exist.
firewalld[1490]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -X libvirt-J-vnet0' failed: Chain 'libvirt-J-vnet0' doesn't exist.
firewalld[1490]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -F libvirt-P-vnet0' failed: Chain 'libvirt-P-vnet0' doesn't exist.
firewalld[1490]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -X libvirt-P-vnet0' failed: Chain 'libvirt-P-vnet0' doesn't exist.
firewalld[1490]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -F J-vnet0-mac' failed: Chain 'J-vnet0-mac' doesn't exist.
firewalld[1490]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -X J-vnet0-mac' failed: Chain 'J-vnet0-mac' doesn't exist.
firewalld[1490]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -F J-vnet0-arp-mac' failed: Chain 'J-vnet0-arp-mac' doesn't exist.
firewalld[1490]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -X J-vnet0-arp-mac' failed: Chain 'J-vnet0-arp-mac' doesn't exist.
firewalld[1490]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0' failed: iptables v1.4.21: goto 'FO-vnet0' is not a chain

Version-Release number of selected component (if applicable):
firewalld-0.6.3-2.el7_7.2.noarch
rhvh-4.3.7.1
vdsm-4.30.38-1.el7ev.x86_64
kernel-3.10.0-1062.9.1.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. In a RHVH 4.3 host in a firewalld cluster type, check the firewalld logs:
# journalctl -b -u firewalld

Actual results:
Many warnings, but everything is working as expected and the iptables rules are configured

Expected results:
If possible, it would be ideal to not have these warnings.

Additional info:
Test version:
rhvh-4.3.7.1-0.20191211.0+1
firewalld-0.6.3-2.el7_7.2.noarch
vdsm-4.30.38-1.el7ev.x86_64
kernel-3.10.0-1062.9.1.el7.x86_64

Test steps:
1. In a RHVH 4.3 host
2. Register RHVH to engine with firewalld cluster type.
3. Contact nfs storage.
4. Create VM.
5. Check the firewalld logs:
# journalctl -b -u firewalld
-- Logs begin at Wed 2020-01-15 05:41:00 UTC, end at Wed 2020-01-15 06:10:01 UTC. --
Jan 15 05:41:09 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...
Jan 15 05:41:10 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.

I can't reproduce this issue, is there any other step? Thanks.
I am seeing those messages as well, not on rhvh but on rhel + rhv hypervisor. I see them when migrating VMs to the hypervisor.
Ok, yes, the messages appear when live migrating VMs in or out of a host.

Test steps:
1. Have a cluster of 2 RHVH 4.3 hosts. Cluster of type firewalld.
2. Live migrate HostedEngine to one host, in this case rhvh43-01
3. Check the journal in the moment of the migration:
# journalctl -b -u firewalld -u vdsmd
ene 15 09:08:58 rhvh43-01.laptop.lab vdsm[3894]: WARN ping was deprecated in favor of ping2 and confirmConnectivity
ene 15 09:08:59 rhvh43-01.laptop.lab vdsm[3894]: WARN Attempting to add an existing net user: ovirtmgmt/991baeb2-30b5-4be4-935e-5bb3950438d7
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-J-vnet0' failed: Illegal target name 'libvirt-J-vnet0'.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-P-vnet0' failed: Illegal target name 'libvirt-P-vnet0'.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -F libvirt-J-vnet0' failed: Chain 'libvirt-J-vnet0' doesn't exist.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -X libvirt-J-vnet0' failed: Chain 'libvirt-J-vnet0' doesn't exist.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -F libvirt-P-vnet0' failed: Chain 'libvirt-P-vnet0' doesn't exist.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -X libvirt-P-vnet0' failed: Chain 'libvirt-P-vnet0' doesn't exist.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -F J-vnet0-mac' failed: Chain 'J-vnet0-mac' doesn't exist.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -X J-vnet0-mac' failed: Chain 'J-vnet0-mac' doesn't exist.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -F J-vnet0-arp-mac' failed: Chain 'J-vnet0-arp-mac' doesn't exist.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -X J-vnet0-arp-mac' failed: Chain 'J-vnet0-arp-mac' doesn't exist.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0' failed: iptables v1.4.21: goto 'FO-vnet0' is not a c Try `iptables -h' or 'iptables --help' for more information.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0' failed: iptables v1.4.21: goto 'FO-vnet0' is not a chain Try `iptables -h' or 'iptables --help' for more information.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0' failed: iptables v1.4.21: goto 'FI-vnet0' is not a chain Try `iptables -h' or 'iptables --help' for more information.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0' failed: iptables v1.4.21: goto 'HI-vnet0' is not a chain Try `iptables -h' or 'iptables --help' for more information.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -F FO-vnet0' failed: iptables: No chain/target/match by that name.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -X FO-vnet0' failed: iptables: No chain/target/match by that name.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -F FI-vnet0' failed: iptables: No chain/target/match by that name.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -X FI-vnet0' failed: iptables: No chain/target/match by that name.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -F HI-vnet0' failed: iptables: No chain/target/match by that name.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -X HI-vnet0' failed: iptables: No chain/target/match by that name.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -E FP-vnet0 FO-vnet0' failed: iptables: No chain/target/match by that name.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -E FJ-vnet0 FI-vnet0' failed: iptables: No chain/target/match by that name.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -E HJ-vnet0 HI-vnet0' failed: iptables: No chain/target/match by that name.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ip6tables -w10 -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0' failed: ip6tables v1.4.21: goto 'FO-vnet0' is not a Try `ip6tables -h' or 'ip6tables --help' for more information.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ip6tables -w10 -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0' failed: ip6tables v1.4.21: goto 'FO-vnet0' is not a chain Try `ip6tables -h' or 'ip6tables --help' for more information.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ip6tables -w10 -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0' failed: ip6tables v1.4.21: goto 'FI-vnet0' is not a chain Try `ip6tables -h' or 'ip6tables --help' for more information.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ip6tables -w10 -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0' failed: ip6tables v1.4.21: goto 'HI-vnet0' is not a chain Try `ip6tables -h' or 'ip6tables --help' for more information.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ip6tables -w10 -w -F FO-vnet0' failed: ip6tables: No chain/target/match by that name.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ip6tables -w10 -w -X FO-vnet0' failed: ip6tables: No chain/target/match by that name.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ip6tables -w10 -w -F FI-vnet0' failed: ip6tables: No chain/target/match by that name.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ip6tables -w10 -w -X FI-vnet0' failed: ip6tables: No chain/target/match by that name.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ip6tables -w10 -w -F HI-vnet0' failed: ip6tables: No chain/target/match by that name.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ip6tables -w10 -w -X HI-vnet0' failed: ip6tables: No chain/target/match by that name.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ip6tables -w10 -w -E FP-vnet0 FO-vnet0' failed: ip6tables: No chain/target/match by that name.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ip6tables -w10 -w -E FJ-vnet0 FI-vnet0' failed: ip6tables: No chain/target/match by that name.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ip6tables -w10 -w -E HJ-vnet0 HI-vnet0' failed: ip6tables: No chain/target/match by that name.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0' failed: Illegal target name 'libvirt-I-vnet0'.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0' failed: Illegal target name 'libvirt-O-vnet0'.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -F libvirt-I-vnet0' failed: Chain 'libvirt-I-vnet0' doesn't exist.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -X libvirt-I-vnet0' failed: Chain 'libvirt-I-vnet0' doesn't exist.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -F libvirt-O-vnet0' failed: Chain 'libvirt-O-vnet0' doesn't exist.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -X libvirt-O-vnet0' failed: Chain 'libvirt-O-vnet0' doesn't exist.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -E libvirt-P-vnet0 libvirt-O-vnet0' failed: Chain 'libvirt-P-vnet0' doesn't exist.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -F I-vnet0-mac' failed: Chain 'I-vnet0-mac' doesn't exist.
ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -X I-vnet0-mac' failed: Chain 'I-vnet0-mac' doesn't exist.
ene 15 09:09:01 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -F I-vnet0-arp-mac' failed: Chain 'I-vnet0-arp-mac' doesn't exist.
ene 15 09:09:01 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -X I-vnet0-arp-mac' failed: Chain 'I-vnet0-arp-mac' doesn't exist.
Moving to weiwang, since this bug is triggered by live migrating the HostedEngine according to #c3 step 2.
Hi,
this happens on every VM, not just the hosted engine.

Greetings
Klaas
(In reply to Klaas Demter from comment #5)
> Hi,
> this happens on every VM, not just the hosted engine.
>
> Greetings
> Klaas

I still can't reproduce this issue with regular Live migrate without hosted engine.
Let's try with Live migrate HostedEngine to see the result, will update ASAP.
Test Version
rhvh-4.3.7.1-0.20191211.0
firewalld-0.6.3-2.el7_7.2.noarch
vdsm-4.30.38-1.el7ev.x86_64
kernel-3.10.0-1062.9.1.el7.x86_64

Test Steps:
1. Install two hosts with rhvh-4.3.7.1-0.20191211.0
2. Register Host1 to RHVM with firewalld cluster type
3. Create vm (RHEL-7.7) on host1
4. Register host2 to RHVM with the same cluster during step 3
5. "#journalctl -b -u firewalld" in host2

Result:
Many warnings in firewalld logs

[root@hp-dl388g9-04 ~]# journalctl -b -u firewalld
-- Logs begin at Thu 2020-01-16 11:54:28 CST, end at Thu 2020-01-16 15:31:18 CST. --
Jan 16 11:54:37 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...
Jan 16 11:54:38 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-J-vnet0' failed: Illegal target name 'lib
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-P-vnet0' failed: Illegal target name 'li
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -F libvirt-J-vnet0' failed: Chain 'libvirt-J-vnet0' doesn't exist.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -X libvirt-J-vnet0' failed: Chain 'libvirt-J-vnet0' doesn't exist.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -F libvirt-P-vnet0' failed: Chain 'libvirt-P-vnet0' doesn't exist.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -X libvirt-P-vnet0' failed: Chain 'libvirt-P-vnet0' doesn't exist.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -F J-vnet0-mac' failed: Chain 'J-vnet0-mac' doesn't exist.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -X J-vnet0-mac' failed: Chain 'J-vnet0-mac' doesn't exist.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -F J-vnet0-arp-mac' failed: Chain 'J-vnet0-arp-mac' doesn't exist.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -X J-vnet0-arp-mac' failed: Chain 'J-vnet0-arp-mac' doesn't exist.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0' failed: Try `iptables -h' or 'iptables --help' for more information.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0' failed: iptables v1.4.21: go Try `iptables -h' or 'iptables --help' for more information.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0' failed: iptables v1.4.21: goto Try `iptables -h' or 'iptables --help' for more information.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0' failed: iptables v1.4.21: Try `iptables -h' or 'iptables --help' for more information.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -F FO-vnet0' failed: iptables: No chain/target/match by that name.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -X FO-vnet0' failed: iptables: No chain/target/match by that name.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -F FI-vnet0' failed: iptables: No chain/target/match by that name.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -X FI-vnet0' failed: iptables: No chain/target/match by that name.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -F HI-vnet0' failed: iptables: No chain/target/match by that name.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -X HI-vnet0' failed: iptables: No chain/target/match by that name.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -E FP-vnet0 FO-vnet0' failed: iptables: No chain/target/match by that name.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -E FJ-vnet0 FI-vnet0' failed: iptables: No chain/target/match by that name.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -E HJ-vnet0 HI-vnet0' failed: iptables: No chain/target/match by that name.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/ip6tables -w10 -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0' failed Try `ip6tables -h' or 'ip6tables --help' for more information.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/ip6tables -w10 -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0' failed: ip6tables v1.4.21: Try `ip6tables -h' or 'ip6tables --help' for more information.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/ip6tables -w10 -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0' failed: ip6tables v1.4.21: go Try `ip6tables -h' or 'ip6tables --help' for more information.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/ip6tables -w10 -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0' failed: ip6tables v1.4.2 Try `ip6tables -h' or 'ip6tables --help' for more information.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/ip6tables -w10 -w -F FO-vnet0' failed: ip6tables: No chain/target/match by that name.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/ip6tables -w10 -w -X FO-vnet0' failed: ip6tables: No chain/target/match by that name.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/ip6tables -w10 -w -F FI-vnet0' failed: ip6tables: No chain/target/match by that name.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/ip6tables -w10 -w -X FI-vnet0' failed: ip6tables: No chain/target/match by that name.
Jan 16 15:01:56 hp-dl388g9-04.lab.eng.pek2.redhat.com firewalld[1322]: WARNING: COMMAND_FAILED: '/usr/sbin/ip6tables -w10 -w -F HI-vnet0' failed: ip6tables: No chain/target/match by that name.

QE can reproduce this issue without migration or a HostedEngine environment.

cshao, it is not related to hosted engine, so moving this bug back to you.
Thanks weiwang.
Not sure if infra or network. It reproduces on any RHEL host too.
Laine, can you please have a look? Do you consider this a libvirt issue worth addressing in rhel-7? Thanks.
I can't see us addressing this in RHEL-7 as it would be quite a risky change. IIRC, we have an equiv bug against RHEL-8 already, and even there it will be tricky to address.
Yeah, the problem is that we need "catch-all" code that will remove any and all stray rules that may have been left over from some previous shenanigans, and (in RHEL7) all of our rules are on the standard chains so they need to be removed individually, and each attempt to remove a rule that doesn't exist results in a warning log from firewalld. The choice, then, is to either check for the presence of each rule before removing it (meaning that it will take up to 2x as long to complete the operation) or to suppress the warning logs in firewalld, but firewalld doesn't provide any way to do that and has said in the past that they don't want to provide it. In RHEL8 it may be possible to take advantage of the fact that libvirt iptables rules are all on private chains used only by us (so possibly we could do a mass delete before re-adding) but even that probably won't eliminate 100% of the warnings.
Hi,
the bug was opened almost 10 months ago; nonetheless it is still in status open.
Even if the bug is not causing disruption, it is white noise which can trigger alarms etc.
Can someone pls take care?
Thanks
Francesco
Dan pointed out to me in IRC the other day that calling iptables directly rather than via firewalld will eliminate these extra messages (since it's firewalld that is logging them), and that's something we'd already talked about doing (because in the end there is no gain for going through firewalld in this case). I'm working on that now.
Note that the current state of affairs is that when firewalld is enabled, libvirt uses dbus to call firewalld, and firewalld then execs iptables with the arguments sent by libvirt - it doesn't gather information from the arguments from libvirt, and doesn't take any other action. *Except* that if the exec of iptables returns an error, firewalld will log whatever came in on stderr from iptables to the system journal, and then return an error code to libvirt. If firewalld is disabled (whether or not the iptables service is enabled) then libvirt execs iptables directly, stderr from the iptables command goes back to libvirt. The result will be that the same rules are loaded, but libvirt is free to ignore the error and discard the stderr output. Whether or not the iptables.service is enabled doesn't make any difference - afaik that service just loads some rules each time it is started, and does nothing else.
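As an added triage aid (not code from this bug, libvirt or firewalld): a small classifier for the COMMAND_FAILED lines quoted above, which, per the two explanations from Laine, are iptables/ebtables stderr relayed by firewalld when libvirt's catch-all cleanup hits a rule or chain that is already gone. It separates that benign cleanup noise from failures a monitoring rule should still raise, so the white noise complained about earlier can be filtered without hiding real errors. The chain-name shapes and error strings are taken from the warnings in this report; the "Resource temporarily unavailable" line and the rule in it are constructed, and the assumption that only those chain shapes count as libvirt cleanup is mine.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# firewalld's passthrough logging format as seen in this report:
#   firewalld[PID]: WARNING: COMMAND_FAILED: '<argv>' failed: <stderr of the tool>
FAILED_RE = re.compile(
    r"firewalld\[\d+\]: WARNING: COMMAND_FAILED: '(?P<cmd>[^']*)' failed: ?(?P<err>.*)$"
)

# stderr texts iptables/ip6tables/ebtables print when the thing being deleted,
# flushed, renamed or unlinked is simply absent (all four occur in the report).
ABSENT_PATTERNS = ("doesn't exist", "No chain/target/match by that name",
                   "is not a chain", "Illegal target name")

# Per-vNIC chain names libvirt's nwfilter code uses, as they appear in the report:
# FO-/FI-/HI-/FP-/FJ-/HJ-<vnet>, libvirt-[IOJP]-<vnet>, [IJ]-<vnet>-mac, [IJ]-<vnet>-arp-mac.
# Assumption: only these shapes count as libvirt cleanup; anything else is surfaced.
LIBVIRT_CHAIN_RE = re.compile(
    r"^(?:(?:F[OIPJ]|H[IJ])-vnet\d+|libvirt-[IOJP]-vnet\d+|[IJ]-vnet\d+-(?:arp-)?mac)$"
)

ACTIONS = ("-D", "-F", "-X", "-E", "-I", "-A", "-N")


@dataclass
class FailedCommand:
    tool: str              # iptables, ip6tables or ebtables
    action: Optional[str]  # -D delete, -F flush, -X unlink, -E rename, ...
    chain: Optional[str]   # user-defined chain the command refers to
    error: str             # stderr text relayed by firewalld
    benign: bool           # True: libvirt removing a chain/rule that is already gone


def _action(argv: List[str]) -> Optional[str]:
    return next((a for a in argv if a in ACTIONS), None)


def _chain(argv: List[str]) -> Optional[str]:
    # -D/-I/-A name the libvirt chain as a -j/-g target; -F/-X/-E take it directly.
    for flag in ("-g", "-j", "-F", "-X", "-E"):
        if flag in argv and argv.index(flag) + 1 < len(argv):
            return argv[argv.index(flag) + 1]
    return None


def classify(line: str) -> Optional[FailedCommand]:
    """Parse one journal line; None if it is not a firewalld COMMAND_FAILED warning."""
    m = FAILED_RE.search(line)
    if not m:
        return None
    argv = m.group("cmd").split()
    err = m.group("err").strip()
    chain = _chain(argv)
    benign = (chain is not None and LIBVIRT_CHAIN_RE.match(chain) is not None
              and any(p in err for p in ABSENT_PATTERNS))
    tool = os.path.basename(argv[0]) if argv else ""
    return FailedCommand(tool, _action(argv), chain, err, benign)


def triage(lines: List[str]):
    """Return (count of benign libvirt cleanup noise, failures worth a look)."""
    benign, attention = 0, []
    for fc in filter(None, map(classify, lines)):
        if fc.benign:
            benign += 1
        else:
            attention.append(fc)
    return benign, attention


# Sample input: five lines copied from comment 3's journal extract, one constructed
# genuine failure (xtables lock contention) and one unrelated vdsm line.
SAMPLE_LINES = [
    "ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-J-vnet0' failed: Illegal target name 'libvirt-J-vnet0'.",
    "ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ebtables --concurrent -t nat -F J-vnet0-mac' failed: Chain 'J-vnet0-mac' doesn't exist.",
    "ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0' failed: iptables v1.4.21: goto 'FO-vnet0' is not a chain Try `iptables -h' or 'iptables --help' for more information.",
    "ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -E FP-vnet0 FO-vnet0' failed: iptables: No chain/target/match by that name.",
    "ene 15 09:09:00 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/ip6tables -w10 -w -X HI-vnet0' failed: ip6tables: No chain/target/match by that name.",
    # constructed, not from the report:
    "ene 15 09:09:02 rhvh43-01.laptop.lab firewalld[1491]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w -I INPUT -p tcp --dport 22 -j ACCEPT' failed: iptables: Resource temporarily unavailable.",
    "ene 15 09:08:58 rhvh43-01.laptop.lab vdsm[3894]: WARN ping was deprecated in favor of ping2 and confirmConnectivity",
]
```

Feeding `journalctl -b -u firewalld` output into `triage` yields the benign count plus the list of failures whose chain is not a libvirt per-vNIC chain or whose error is not an "already gone" message.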
I've pushed patches to upstream to switch libvirt to directly running iptables/ebtables rather than going through firewalld, as mentioned in Comment 23. This eliminates the extraneous log messages from firewalld. This change will be included in upstream libvirt-6.10.0.

commit e66451f685e29ffe4be5a060ef64b19961ad4bb5
Author: Laine Stump <laine>
Date:   Mon Nov 16 19:20:53 2020 -0500

    util/tests: enable locking on iptables/ebtables commandlines in unit tests

commit 0a867cd895f06134d24eb27070285bb4b50c088f
Author: Laine Stump <laine>
Date:   Mon Nov 16 20:02:43 2020 -0500

    util/tests: enable locking on iptables/ebtables commandlines by default

commit e9693502fb63ce5ddd07d2599daddc563c422eed
Author: Laine Stump <laine>
Date:   Tue Nov 17 13:51:45 2020 -0500

    tests: fix iptables test case commandline options in virfirewalltest.c

commit c102bbd3efc358fb44fa2bb37fb0bcbeaaab72a5
Author: Laine Stump <laine>
Date:   Mon Nov 23 09:48:29 2020 -0500

    network: be more verbose about the reason for a firewall reload

commit 56dd128bd06c38fab4256a098124d47d803e919a
Author: Laine Stump <laine>
Date:   Mon Nov 16 20:17:05 2020 -0500

    util: always check for ebtables/iptables binaries, even when using firewalld

commit 070690538a1ed301b004c542d94b13ee9bffc9d6
Author: Laine Stump <laine>
Date:   Mon Nov 23 14:39:40 2020 -0500

    util: synchronize with firewalld before we start calling iptables directly

commit b19863640d10b47b7c4a7cbadb21f196d61d96a2
Author: Laine Stump <laine>
Date:   Tue Nov 17 10:55:12 2020 -0500

    util: call iptables directly rather than via firewalld
Reproduce the bug by:
1. Start the libvirtd while the firewalld is active;
2. start a vm with interface connected to default network and set with nwfilter;
3. restart firewalld;
4. check the logs by "# journalctl -b -u firewalld", there will be a bunch of firewalld warnings;

update libvirt to libvirt-6.10.0-1.module+el8.4.0+8898+a84e86e1.x86_64, and test with above steps, no such firewalld warning any more. The bug is fixed.
1. restart libvirtd while firewalld is active;
2. start a vm with interface as below:
<interface type='network'>
  <mac address='52:54:00:66:27:f8'/>
  <source network='default' portid='0d30e838-677d-4614-8cd6-87f6078267cd' bridge='virbr0'/>
  <target dev='vnet0'/>
  <model type='virtio'/>
  <filterref filter='clean-traffic'/>
  <alias name='net0'/>
  <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
</interface>
3. save the rules:
# iptables-save > ipv4.before
# ip6tables-save > ipv6.before
# ebtables -t nat -L > ebtables.before
4. # systemctl restart firewalld
# iptables-save > ipv4.after
# ip6tables-save > ipv6.after
# ebtables -t nat -L > ebtables.after
compare the rules, there are no differences.
5. # journalctl -b -u firewalld
# (no warnings as in comment 0)
6. check the libvirt zone info:
# firewall-cmd --info-zone libvirt
libvirt (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: virbr0
  sources:
  services: dhcp dhcpv6 dns ssh tftp
  ports:
  protocols: icmp ipv6-icmp
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule priority="32767" reject
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (virt:av bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:2098